VYPR
High severity · NVD Advisory · Published Nov 10, 2020 · Updated Sep 16, 2024

Prototype Pollution

CVE-2020-7766

Description

The json-ptr npm package is vulnerable to prototype pollution via the set() operation with force flag enabled, allowing attackers to pollute Object.prototype.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


CVE-2020-7766 is a prototype pollution vulnerability in the json-ptr JavaScript package affecting all versions [1][3]. The flaw resides in the set() method when the force flag is set to true; the function recursively sets properties on the target object without proper validation of the key being set, enabling pollution of Object.prototype [1].

An attacker can exploit this by crafting a JSON pointer that includes prototype keys like __proto__ or constructor, causing the recursive property assignment to modify the global prototype chain [2][3]. No authentication is required if the attacker can supply input to the set() function, such as in applications that parse user-supplied JSON pointers with force mode enabled.

This can lead to denial of service, property injection, or potentially remote code execution if the polluted properties affect application logic [2][3]. The vulnerability has been addressed in a pull request [4], but the repository is archived and may no longer receive updates; users should switch to maintained alternatives or avoid using the force flag with untrusted input.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
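
The unchecked-key pattern described above, shown next to a hardened setter. This is an added example, not json-ptr's source and not part of the advisory; `decodePointer`, `setUnsafe`, `setSafe` and `UNSAFE_SEGMENTS` are hypothetical names for a simplified pointer setter.

```javascript
// Added example: simplified pointer setters, NOT json-ptr's source code.
// All function and constant names here are hypothetical.
const UNSAFE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Decode an RFC 6901 pointer ("/a/b") into path segments.
function decodePointer(pointer) {
  if (pointer[0] !== '/') throw new SyntaxError('pointer must start with "/"');
  return pointer.slice(1).split('/')
    .map((s) => s.replace(/~1/g, '/').replace(/~0/g, '~'));
}

// Unguarded pattern: each segment is used as a key with no check, so
// inherited keys such as __proto__ are followed up the prototype chain.
function setUnsafe(target, pointer, value, force) {
  const path = decodePointer(pointer);
  let node = target;
  for (const seg of path.slice(0, -1)) {
    if (typeof node[seg] === 'undefined') {
      if (!force) return false;
      node[seg] = {};
    }
    node = node[seg];
  }
  node[path[path.length - 1]] = value;
  return true;
}

// Hardened form: reject prototype-related segments up front and only
// descend through own properties that hold objects.
function setSafe(target, pointer, value, force) {
  const path = decodePointer(pointer);
  const bad = path.find((seg) => UNSAFE_SEGMENTS.has(seg));
  if (bad !== undefined) throw new RangeError(`refusing segment "${bad}"`);
  let node = target;
  for (const seg of path.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(node, seg)) {
      if (!force) return false;
      node[seg] = {};
    }
    node = node[seg];
    if (node === null || typeof node !== 'object') return false;
  }
  node[path[path.length - 1]] = value;
  return true;
}
```

The segment check runs before any write, so a rejected pointer leaves the target untouched.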

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| json-ptr (npm) | < 2.1.0 | 2.1.0 |
